Mass domain hijack leaves Reg reader angry with 123-Reg

Updated A customer of domain name and web hosting provider 123-reg blames the firm for a domain hack that redirected surfers to malicious sites pushing a ransomware scam.

The problem was compounded, according to the aggrieved customer, when 123-reg support staff purportedly forgot to tell the customer when they found that the account had been compromised. He alleges they made matters worse by consistently ignoring support requests.

The customer's main sites were hosted with 123-reg’s partner company WebFusion. The person involved, who wishes to remain anonymous, first approached this hosting provider before he eventually realised 123-reg was at the centre of the problem, some days later. 123-reg and WebFusion are both owned by Host Europe Group.

“I went round in circles for three days,” the customer told El Reg. "WebFusion’s techs were telling me that there was nothing wrong, but I kept getting notifications that other sites were also hit. When I asked them to run a low-level scan on the server they simply sent me a link to a site on how to learn Linux.”

Clients of the customer alerted him that their domains were being redirected to a ransomware site on 21 January. Surfers who attempted to visit the affected sites were served malicious code which locked their browsers and falsely warned them they had been caught downloading images of child abuse, in an attempt to extort them into paying a "fine".

Luckily no malicious code was pushed directly into visitors' machines and the browser lock-up problem could be resolved by the judicious use of control-alt-delete.

DNS settings malfeasance

After scanning his servers for malware, the customer drew a blank – but was eventually able to narrow down the cause of the problem to DNS settings manipulation.

"My original thought was that this was a problem with my Webfusion servers. It was only when I received an email reporting an issue on a domain I’ve not created a website for that I realised this was an issue with my domain name registrar," he explained.

“All 120+ domain names had been set to auto-expire; half were redirected to spurious locations and more than a third had compromised DNS, with additional DNS redirects to these ransom sites. I had to go through every single account, one by one, and check every setting. 123-reg, while trying to be helpful, didn’t do a thing.”

The problem was eventually resolved on 24 January but the customer was left dissatisfied by the whole incident, and in particular 123-reg's handling of the problem.

The dodgy domains promoted through the scam were of the form abuse-police(dot)domain(dot)com.

In response to queries from El Reg on the matter, 123-reg spokespersons have stated that the company can't as yet release details of its own internal probe into the matter as it has not received the permission of the customer to do that. However the company did say:

What we can confirm is at this point all indications are that 123-reg has had no compromise of its systems – but they are working to fully verify this. It appears the accountholder's security has been compromised but not through 123-reg’s systems.

123-reg has had related problems in the past. A security hole within 123-reg's management console resulted in the hijacking of 300 domains back in 2012, a problem exclusively revealed by The Reg in March 2013. That problem was eventually tracked down to an open account control panel that had allowed changes to be made without adequate authentication.

Nominet subsequently told us three other registrars had also been affected.

Traffic hijacking

Fraser Howard, a senior virus researcher at UK-based security firm SophosLabs, was able to confirm that the dodgy domains promoted through the scam, and ones like them, were receiving a lot of traffic over the relevant period in January. Sophos wasn't able to say where the traffic originated from.

It might well be that customers of other domain registrars were also affected. All Sophos is able to say for sure is that the scam generated plenty of traffic and the malware involved was among the five most common strains it detected over the relevant period in late January.

"This IS something we have seen. In quite high volume in fact," Howard told El Reg by email.

"Numerous other sites have been similarly affected - or more specifically, DNS settings for such sites have been affected," Howard told El Reg. "I can confirm that the target of the 'traffic hijack' is a malicious web page designed to 'lock' your browser. Sophos detects this malicious HTML/JS as Troj/Ransom-AFD.

"The page contains the typical social engineering intended to trick the user into paying up. For example, claiming to be FBI and have detected child pornography on the machine. Lo and behold, there is a form for the user to make a payment via MoneyPak," Howard added.

The same scam is still ongoing albeit to a lesser extent than in the second half of January, when it hit a peak.

"We are still seeing detections of Troj/Ransom-AFD in customer feedback to this day,” Howard explains. "During the second half of January, Troj/Ransom-AFD was the fifth most prevalent web threat we detected on customer endpoints.

"Curiously, earlier in January, between approx. January 8-20, we were seeing the same attacks, but using outright evil domains, registered for the purpose. [This used] exactly the same type of attack - HTML/JS to lock the browser - but using what appears to be throwaway freshly registered dot com registrations. All using subdomain strings to try and make it appear believable," he added.

In some cases, the user is not redirected to a ransomware page but to a porn site instead.

"Hacking customer DNS settings is done in order to evade reputation filtering technologies. It is not new”, Fraser concluded. Attacks using similar methods date back to at least late 2012.
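The defensive counterpart to the attack described above is a routine comparison of every zone in a registrar account against a baseline the owner recorded earlier. The following is an added example, not code from the article, 123-reg, WebFusion or Sophos; all domain names and addresses are constructed sample data, and the `BASELINE`/`OBSERVED` snapshots stand in for records you would export from a control panel or gather with a resolver. It flags new labels (rated high when they use scare-page words such as "police"), redirected apex records, and any single target address that several zones now point at, which is the signature of a mass hijack rather than a one-off change.

```python
# Added example (not from the article, 123-reg or Sophos); all names and
# addresses are constructed sample data.
from collections import defaultdict

# Baseline: what the owner expects each zone to contain.
BASELINE = {
    "client-one.example": {"@": ["203.0.113.10"], "www": ["203.0.113.10"]},
    "client-two.example": {"@": ["203.0.113.20"]},
    "client-three.example": {"@": ["203.0.113.30"]},
}
# Later snapshot of the same zones, e.g. exported from the registrar panel.
OBSERVED = {
    "client-one.example": {
        "@": ["203.0.113.10"],
        "www": ["203.0.113.10"],
        "abuse-police": ["198.51.100.77"],   # unexpected new label
    },
    "client-two.example": {"@": ["198.51.100.77"]},   # apex redirected
    "client-three.example": {"@": ["203.0.113.30"]},  # untouched
}
# Words typical of "police" scare-page labels: a new record using one is high.
SUSPECT_WORDS = ("police", "alert", "abuse", "fbi")

def diff_zone(baseline, observed):
    # Return (severity, description, addresses) for one zone's drift.
    findings = []
    for label, addrs in observed.items():
        if label not in baseline:
            sev = "high" if any(w in label.lower() for w in SUSPECT_WORDS) else "medium"
            findings.append((sev, f"new record {label} -> {addrs}", addrs))
        elif sorted(addrs) != sorted(baseline[label]):
            findings.append(("high", f"{label} changed {baseline[label]} -> {addrs}", addrs))
    for label in baseline:
        if label not in observed:
            findings.append(("medium", f"record {label} removed", []))
    return findings

def audit(baseline_zones, observed_zones):
    # Diff every zone, then list addresses that several drifted zones share.
    report, seen_at = {}, defaultdict(set)
    for domain in sorted(set(baseline_zones) | set(observed_zones)):
        found = diff_zone(baseline_zones.get(domain, {}), observed_zones.get(domain, {}))
        if found:
            report[domain] = [(sev, desc) for sev, desc, _ in found]
            for _, _, addrs in found:
                for addr in addrs:
                    seen_at[addr].add(domain)
    shared = {a: sorted(d) for a, d in seen_at.items() if len(d) > 1}
    return report, shared
```

Run `audit(BASELINE, OBSERVED)` on a real export by replacing the two dictionaries; a non-empty `shared` result is the cue to treat the whole account, not just one domain, as compromised.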

'Alert police' ransomware

The 123-reg customer seems to have fallen victim to a type of DNS setting manipulation attack that Fraser suspects was carried out using compromised passwords.

"Understanding how the customer accounts were compromised such that DNS settings were updated would be useful. Compromised passwords perhaps? Users need to realise that their DNS config is the key to the kingdom, and as such should be well secured."

The affected 123-reg customer has changed all the passwords for the sites he administers but is still concerned, in the absence of a clear explanation of what happened, about what other steps he might need to take to prevent a repetition of the attack.

"'Alert-police' has shown up in a number of different URLs over the last few days, and they seem to follow a similar pattern to the above, so there's a good chance they're all related," Chris Boyd, malware intelligence analyst at Malwarebytes, told El Reg.

Malwarebytes has not seen the domains mentioned by the 123-reg customer in action – El Reg's understanding is that these have been shown the red card – but it does have some theories on how the attack might have been pulled off.

"It's possible the attackers have gone down the typical route of social engineering the registrar or used a targeted malware attack to gain access to various credentials," Boyd explained.

"This seems to be a fairly standard ransomware campaign - IPs tied to the Russian Federation, potentially compromised URLs mixed in with custom built sites and geographically targeted scare pages," he added. ®

Updated to Add

Since publication of this piece, 123-reg representatives have been in touch with further details. We reproduce their email here in part (verbatim except where noted):

We seek a public redress for the misleading article you published, which [is] potentially damaging to our brand and reputation ...

The allegation that 123-reg was to blame for a customer's account being compromised is incorrect.

We have evidence to show that the customer's password was used to access the account and change the settings on it ...

The customer alleged that his account was blocked – we would like to clarify that this did happen at the point we were made aware there was a problem. Our fraud team do this automatically until we can establish why such a compromise has occurred and in the interests of protecting our network. The customer in this instance now has full and complete access to his account ...

We look forward to seeing your published acknowledgement of this piece and our statement in line with this as per the above.